WiFi Insecurity
A tour of common attacks on WiFi networks
Information Security Consultant @ Blit-Tech
Software Developer @ Shelter Insurance
Email: nabil@blit.tech
What we are doing
Over of WiFi security standards and issues
Krack a network and read packets
No Physical Access Control
Maybe the only issue that is fundamental to wireless security
Most attacks use this to their advantage
src: http://www.cs.sjsu.edu/~stamp/CS265/projects/Spr05/papers/WEP.pdf
The Core Problem is IV is used incorrectly
Key Reuse with RC4
WPA
Wi-Fi Protected Access
WPA Modes
- WPA-Personal: Static pre-shared key (aka. password). Most common in homes and coffee shops.
- WPA-Enterprise: Requires and authentication server, has lots of modes.
- WPS: Wi-Fi Protected Setup. Uses and 8-digit PIN. Broken, disable if you can.
WPA's Keys
- PMK: Pairwise Master Key, derived from the password (WPA-Personal) or the EAP parameters.
- PTK: Pairwise Transient Key,
PMK || ANonce || SNonce || AP MAC || Station MAC
, used to encrypt traffic
- GTK: Group Temporal Key, used to encrypt/decrypt broadcast traffic. Generated by the AP
The WPA Handshake
- The AP sends a nonce
ANonce
and a Key Replay Counter to the station.
- The station constructs the
PTK
. The station sends a nonce SNonce
, a MIC and the Key Replay Counter to the AP.
- The AP verifies message 2 and then sends the
GTK
and another MIC to the station.
- The station verifies the AP's message and sends a confirmation
More Secure Handshake
Eliminates offline dictionary attacks and provides forward secrecy using SAE
Replace WPS
A little complicated, but is based on the devices wanting to connect providing a public key to the router
Unauthenticated Encryption
Not sure how this will work, but Opportunistic Wireless Encryption (OWE) is a strong candidate
What wasn't discussed
- KRACK
- WPS Pin Brute forcing
- TKIP Weaknesses
- Captive Portals
- Router-specific issues
- Lesser known issues
- "Regular" network attacks